Update on Privacy Issues at USU
October 10, 2013
USU Privacy Breaches
• 5 breaches have already occurred in 2013 – more than in previous years.
• Breaches in the last 2 years could have affected over 21,100 individuals’ personal identification information and/or personal health information.
Washington Post Report
Largest data breach in Federal Government history led to loss of 26.5 million veterans’ data.
Recent USU Privacy Breaches
• PII & PHI stored on a personal computer and sent in unencrypted email
• PII on an unencrypted external hard drive not issued by the university or government
• Email with PII sent to unintended recipients
• PII sent via open distribution lists
• Documents containing PII shared using Google Apps
• Laptop with unencrypted PHI and PII stolen from a car
• Research laptop stolen from a home
• PII uploaded to a publicly accessible server
PII Definition – DoD 5411.11-R
• Personally Identifiable Information – Information about an individual that identifies, links, relates, or is unique to, or describes him or her and is linked or linkable to a specified individual.
Examples of PII:
• Social Security Number
• Date of Birth
• Passport Number
• Financial account number
• Biometric identifiers
• Mother’s maiden name
• Birthplace
• Credit card number
• Home address / phone / cell
• Protected Health Information (PHI)
• Full name
• Genetic information
• Other personal information
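Several of the breaches listed above involve PII leaving the university in email or in shared documents. The following is an added example, not part of the original presentation: a small Python pre-send check that scans outgoing text for three of the identifier formats the definition lists (Social Security Numbers, dates of birth and credit card numbers), uses a Luhn checksum so that random digit strings are not reported as card numbers, and masks what it finds so the scan log is not itself a new copy of the PII. The sample lines are constructed for this example; the regular expressions and thresholds are the example's own assumptions, not a DoD or USU standard.

```python
import re

# Constructed sample lines standing in for the body of an outgoing message.
SAMPLE_LINES = [
    "Participant 0042: SSN 123-45-6789, DOB 1981-03-14, phone 301-555-0199",
    "Invoice paid with card 4111 1111 1111 1111 on file",
    "Order reference 4111 1111 1111 1112 shipped",   # card-like digits, fails Luhn
    "Meeting moved to room 219, nothing sensitive here",
]

# SSN in AAA-GG-SSSS form; area 000, 666 and 9xx are never issued,
# group 00 and serial 0000 are never issued either.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by spaces or hyphens (card number length range).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# ISO-style date of birth YYYY-MM-DD.
DOB_RE = re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers: True if the digit string is well-formed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line):
    """Return (category, matched_text) pairs found in one line of text."""
    findings = []
    for m in SSN_RE.finditer(line):
        findings.append(("ssn", m.group(0)))
    for m in DOB_RE.finditer(line):
        findings.append(("dob", m.group(0)))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # drop digit runs that cannot be a card number
            findings.append(("card", digits))
    return findings


def scan_text(lines):
    """Map category -> list of matched values across all lines."""
    report = {}
    for line in lines:
        for category, value in scan_line(line):
            report.setdefault(category, []).append(value)
    return report


def mask(value):
    """Keep only the last four digits so a log of findings is not itself PII."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    report = scan_text(SAMPLE_LINES)
    if report:
        print("PII detected; do not send this message unencrypted:")
        for category, values in report.items():
            print(f"  {category}: {', '.join(mask(v) for v in values)}")
    else:
        print("No PII patterns detected.")
```

Run on the sample lines, the check flags the SSN, the date of birth and the valid card number, and ignores the look-alike digit string that fails the Luhn check. A check like this catches only well-formed identifiers; names, addresses and free-text health information in the PII list above need policy and training rather than pattern matching.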
Consequences of Potential Breach
(Slide chart: "Period of Investigation"; only the title, this label and the footnote survive.)
*US Computer Emergency Readiness Team
Consequences of a Breach
• Having individual certified registered letters sent to every potentially affected individual.
• Providing year-long credit monitoring through a 3rd party.
• Example: credit monitoring costs ~$10 / person / year. A PII breach involving 3,000 research participants would cost the responsible department at least $30,000 / year.
• Potentially incurring a fine for violation of the Privacy Act (personnel and/or agency).
Pop Quiz
1. What is the length of time from discovery of loss or suspected loss of PII that a Command or Unit must submit a report to U.S. Computer Emergency Readiness Team (CERT)?
a. One hour
b. Within 24 hours
c. Two business days
d. Up to one week
Pop Quiz
2. Among the list below, what is the number one cause for USU PII/PHI breaches?
a. Insider threat
b. Computer hackers
c. Human error
d. Phishing
Pop Quiz
3. Which of the following methods are safe for sending PII/PHI?
• Personal email
• USU .edu Google Mail
• Encrypted email
• .mil email
• All of the above
• None of the above
Suggestions on the Way Ahead
• Require online Privacy Training and annual refresher training
• Create a University-wide centralized tracking system
• Any other or better suggestions?